EXCLUSIVE: Palo Alto analyst unwraps mentality of cybercrime

Infosec Europe is an event where thousands of cybersecurity professionals gather to share knowledge, experience, and insight.

We caught up with Palo Alto Networks threat intelligence analyst Alex Hinchliffe to hear his thoughts on cybercrime at present and where he believes it is going in the future.

News of huge cybersecurity breaches seems to be plastered across the headlines every week, so we asked Hinchliffe whether he believes that is because breaches are happening more often or because we are simply becoming more aware of them.

“It’s a combination of the two in my opinion. Especially with the implementation of GDPR, organisations will be putting more processes in place to handle breaches,” says Hinchliffe.

“Public announcements about breaches will also increase as organisations strive to become more transparent with their customers; after all, doing otherwise could do irreparable damage to one’s brand image. That, when combined with the ever-present social media, means data breaches rarely escape widespread public visibility.”

Hinchliffe cited previous Verizon DBIR reports, which revealed that the time it takes to discover a breach has reduced over time but still hasn’t kept pace with the even shorter amount of time it takes to compromise a machine or network.

“Despite best efforts to define policies and processes and use technology to enforce them effectively, humans can still be socially engineered to make mistakes; and systems and applications can be vulnerable to exploitation,” says Hinchliffe.

“Adversaries know this and persist with their attacks until they find the weak links in a chain to attack. Given they have tools and automation to do this, it should come as no surprise that they are often successful too, hence the perception of higher numbers of data breaches.”

Recent reports claim that cryptomining is now a more popular method of attack for cybercriminals than ransomware, and Hinchliffe says he can understand why, given its lack of complexity.

“We’re seeing signs of a move away from ransomware and an uptick in cryptocurrency-related threats. Not just mining or cryptojacking either – the unauthorised use of someone else’s computer to mine cryptocurrency – but other threats too, such as stealing credentials and/or wallet information from victims’ computers or devices through traditional Trojan malware, such as information stealers or Remote Access Trojans (RATs),” says Hinchliffe.

“Unit 42 has discovered other threats, such as ComboJack, capable of overriding a victim’s wallet ID in their system’s clipboard with their ID, so any potential future transactions may be routed to the attacker’s wallet instead of the intended destination.”

When it comes to the shift from ransomware to cryptocurrency, Hinchliffe says it all makes sense when you consider the steps involved.

“Ransomware must encrypt data and provide the ransom message. The victim, most likely, must create a digital wallet, fund it, and make a transaction, all of which may be alien to them. For this reason, and others, many attackers provide tech support options to help the victim that then eat into their profits. Traditional data breaches with exfiltration may take days, weeks or even months of work by a skilled adversary and even when they have the right data, they need to find a buyer, interact with criminals, money mules and others to get their pay-out,” says Hinchliffe.

“Conversely, with cryptocurrency mining, as soon as the program is running on the device natively, or in a web browser using JavaScript libraries available, the adversary potentially starts earning money. Likewise, if they replace a victim’s wallet ID with their own, or steal credentials to online wallets hosted on exchanges which are also susceptible to breaches, as per the Japanese NEM breach leading to a loss of US$534 million worth of the cryptocurrency owned by many of their clients.”

On the ethical implications of cryptomining, given that it usually uses a victim’s device unobtrusively when it is inactive, Hinchliffe says it is a very interesting conundrum.

“Somewhat like Potentially Unwanted Programs (PUPs) or greyware, the tools, code and programmes used to mine cryptocurrency are legitimate and used as such. However, the context around how they are running could be the reason for detection as malware. For example, if malware infects a system due to user complacency or exploitation of a system vulnerability, and uses their resources for mining without their consent, it’s not legitimate,” says Hinchliffe.

“Likewise, with JavaScript-based mining software, it’s not OK for website owners to use their visitors’ CPU to mine CPU through their web browser irrespective of whether the site has been compromised or not. As for enterprise networks, businesses should consider the risk of such threats and plan and enforce accordingly. This is especially critical when managing cloud assets. Cloud assets are popular targets for threats given their often infinite scale and high-powered systems.”

Given sensitive international relations and talk of state-sponsored cyber warfare, Hinchliffe says it’s vital that businesses take proactive action to avoid being caught in the crossfire, particularly if they provide services to the intended targets, such as critical national infrastructure.

“A security posture founded on zero trust is therefore critical and possible with advances in cybersecurity platform technologies. It’s important that any organisation is able to adapt their cyber defence capabilities at the same pace that adversaries are evolving their attacks,” says Hinchliffe.

“Threat intelligence is an important element of any organisation’s defence capability, but the challenge facing organisations is being able to process threat intelligence and response fast enough – through either cloud-based security applications or AI – to be effective.”